The Hacker News — Cyber Security, Hacking, Technology News

Microsoft has heavily criticized Google and its 90-day security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft’s Windows 8.1 operating system, one after another, just days before Microsoft planned to issue patches for the bugs. But Google, it seems, doesn’t care.

Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both operating systems exposed to hackers until next month, when the company plans to deliver a fix.

DISCLOSURE OF UNPATCHED BUGS, GOOD OR BAD?

Google’s tight 90-day disclosure policy seems a good way to push all software vendors to patch their products before the bugs get exploited by hackers and cybercriminals. But at the same time, disclosing critical bugs with full technical details in operating systems as widely used as Windows 7 and 8 doesn’t appear to be the right decision either. In both cases, the only ones who suffer are innocent users.

The revelation of the security flaw was also part of Google's Project Zero, an initiative that identifies security holes in different software and calls on companies to publicly disclose and patch bugs within 90 days of their discovery.

Chris Betz, senior director of the Microsoft Security Response Center, wrote that Google’s move "feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result." He continues, "What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

This time the search engine giant has discovered a flaw in the CryptProtectMemory memory-encrypting function found within Windows 7 and 8.1, present in both the 32- and 64-bit builds, which can apparently disclose sensitive information or allow a miscreant to bypass security checks.

MICROSOFT WILL DELIVER PATCH IN FEB, 2015

Google first notified Microsoft of the vulnerability in Windows 7 and 8.1 on October 17, 2014. Microsoft then confirmed the security issues on October 29 and said that its developers managed to reproduce the security hole. The patch for the vulnerability is scheduled for Feb. 10, next Patch Tuesday.

The vulnerability was found by James Forshaw, who also discovered a "privilege elevation flaw" in Windows 8.1 that was disclosed earlier this week and drew strong criticism from Microsoft. The newly discovered bug actually resides in the CNG.sys implementation, which fails to perform proper token checks.

"The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session ID (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session," James Forshaw says in the post disclosing the vulnerability.

"This behaviour of course might be design; however, not having been party to the design, it's hard to tell."

This is the third time in less than a month that Google’s Project Zero has released details of a vulnerability in Microsoft’s operating system, following its 90-day public disclosure deadline policy. A few days ago, Google released details of a new privilege escalation bug in Microsoft's Windows 8.1 operating system just two days before Microsoft planned to patch the bug.

Google has once again released the details of a new privilege escalation bug in Microsoft's Windows 8.1 operating system before Microsoft planned to patch the bug, triggering a new quarrel between the two tech giants.

This is the second time in less than a month that Google’s security research team, known as Project Zero, has released details of a vulnerability in Microsoft’s operating system, following its 90-day public disclosure deadline policy.

Google’s Project Zero team routinely finds vulnerabilities in products from different companies. The vulnerabilities are reported to the affected software vendors, and if they do not patch the flaws within 90 days, Google automatically makes the vulnerability, along with its details, public.

DISCLOSURE OF TWO SECURITY HOLES IN LESS THAN A MONTH

Two weeks back, Google’s Project Zero team disclosed details of an elevation of privilege (EoP) vulnerability affecting Windows 8.1 that may have allowed hackers to modify contents or even take over victims' computers completely, leaving millions of users vulnerable.

At the time, Microsoft criticized Google for publicly disclosing the Windows 8.1 security flaw just before it was planning to fix it. According to Microsoft, the Windows 8.1 vulnerability disclosed by Google may have potentially exposed users of the operating system to hackers.

However, releasing details together with a proof of concept for the second security hole in Microsoft’s Windows 8.1 just two days before Microsoft planned to patch the bug indicates that Google Project Zero is determined to stick to its 90-day deadline for fixing software flaws.

MICROSOFT vs GOOGLE

Microsoft, though, is very upset with the 90-day disclosure deadline enforced by Google’s Project Zero team. The team notified Microsoft of the new elevation of privilege flaw on 13 October.

In November, Microsoft asked Google for an extension of the deadline until February 2015, when it planned to address the issue. However, the search engine giant refused. Later, when Microsoft promised to address the vulnerability on the January Patch Tuesday, Google still refused to extend its deadline, even by two days.

"We asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix," said Chris Betz, senior director with Microsoft’s Security Response Center, in a blog post Sunday. "Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result."

TECHNICAL DETAILS OF THE NEW EoP FLAW

According to Google’s security team, the User Profile Service is used to create certain directories and mount the user hives as soon as a user logs into a computer. Apart from loading the hives, the base profile directory is created under a privileged account, which is secure because a normal user would need administrator privileges to do so.

"However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through," Google said. "Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn't something that only happens during the initial provisioning of the local profile."

A proof-of-concept (PoC) demonstrating the attack on Microsoft’s Windows 8.1 operating system has been published, but experts have confirmed that the vulnerability also affects Windows 7.

Google security researcher James Forshaw has discovered a privilege escalation vulnerability in Windows 8.1 that could allow a hacker to modify contents or even take over victims' computers completely, leaving millions of users vulnerable.

The researcher also provided a Proof of Concept (PoC) program for the vulnerability. Forshaw says that he has tested the PoC only on an updated Windows 8.1 and that it is unclear whether earlier versions, specifically Windows 7, are vulnerable.

Forshaw unearthed the bug in September 2014 and reported it on the Google Security Research mailing list on 30 September. Now, after the 90-day disclosure deadline, the vulnerability and the Proof of Concept program were made public on Wednesday.

The vulnerability resides in the function AhcVerifyAdminContext, an internal function (not a public API) that checks whether the calling user is an administrator.

"This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator," Forshaw wrote in the mailing list. "It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID."

"It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways."
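Both Forshaw quotes above (the CNG.sys logon-session check and the AhcVerifyAdminContext check) describe the same defect: a privileged component compares the user SID in a caller's impersonation token to LocalSystem's SID without first asking at what impersonation level that token was granted. The following C program is an added illustration, not code from Project Zero or from Microsoft: it is a portable model of that comparison, with the impersonation-level values and the LocalSystem SID taken from Windows, and a hardened form beside it. On a real system the level would come from GetTokenInformation with TokenImpersonationLevel in user mode or SeTokenImpersonationLevel in the kernel; the model simply passes it in as a parameter.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SECURITY_IMPERSONATION_LEVEL as defined in Windows headers (winnt.h / ntifs.h). */
typedef enum {
    SecurityAnonymous      = 0,
    SecurityIdentification = 1,  /* server may learn who the client is, nothing more */
    SecurityImpersonation  = 2,  /* server may act as the client on the local system */
    SecurityDelegation     = 3   /* server may act as the client on remote systems too */
} impersonation_level_t;

/* Well-known SID of the LocalSystem account. */
static const char *const LOCAL_SYSTEM_SID = "S-1-5-18";

/*
 * Model of the check as the quotes describe it: the user SID carried by the
 * caller's impersonation token is compared to LocalSystem's SID, and the
 * token's impersonation level is never consulted. An Identification-level
 * token that names LocalSystem therefore passes.
 */
bool vulnerable_is_system(const char *user_sid, impersonation_level_t level) {
    (void)level;  /* the defect: the level is ignored */
    return strcmp(user_sid, LOCAL_SYSTEM_SID) == 0;
}

/*
 * Hardened form: an Identification-level (or Anonymous) token only tells us
 * who the client is; it does not confer that client's authority. Require at
 * least SecurityImpersonation before the SID comparison means anything.
 */
bool hardened_is_system(const char *user_sid, impersonation_level_t level) {
    if (level < SecurityImpersonation)
        return false;
    return strcmp(user_sid, LOCAL_SYSTEM_SID) == 0;
}

/* Stand-alone demonstration over constructed inputs. */
int main(void) {
    /* Constructed example: a LocalSystem token obtained at Identification level. */
    const char *sid = LOCAL_SYSTEM_SID;
    impersonation_level_t lvl = SecurityIdentification;

    printf("vulnerable check: %s\n", vulnerable_is_system(sid, lvl) ? "treated as SYSTEM" : "rejected");
    printf("hardened check:   %s\n", hardened_is_system(sid, lvl) ? "treated as SYSTEM" : "rejected");

    /* A genuine Impersonation-level LocalSystem token still passes the hardened check. */
    printf("hardened, real SYSTEM impersonation: %s\n",
           hardened_is_system(sid, SecurityImpersonation) ? "treated as SYSTEM" : "rejected");
    return 0;
}
```

The design point for anyone writing a privileged service: the SID in an impersonation token answers "who is the client?", while the impersonation level answers "what did the client permit me to do with that identity?". A check that grants authority must consult both, which is exactly the gap the two quoted advisories describe.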

The PoC contains two program files and a set of instructions for executing them which, if successful, result in the Windows calculator running as an Administrator. According to the researcher, the vulnerability is not in Windows User Account Control (UAC) itself, but UAC is used in part to demonstrate the bug.

Forshaw tested the PoC on Windows 8.1 Update, both 32-bit and 64-bit versions, and recommended running it on 32-bit. To verify, perform the following steps:

1. Put AppCompatCache.exe and Testdll.dll on disk.

2. Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).

3. Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll".

4. If successful, the calculator should appear running as an administrator. If it doesn't work the first time (and you get the ComputerDefaults program instead), re-run the exploit from step 3; there seems to be a caching/timing issue sometimes on the first run.

A Microsoft spokesperson confirmed the vulnerability and said that the company is already working on a fix:

"We are working to release a security update to address an Elevation of Privilege issue. It is important to note that for a would-be attacker to potentially exploit a system, they would first need to have valid logon credentials and be able to log on locally to a targeted machine. We encourage customers to keep their anti-virus software up to date, install all available Security Updates and enable the firewall on their computer."

At the time of posting this article, there's no patch available and all Windows 8.1 systems are vulnerable to hackers.

If you don’t know yet, Microsoft is offering up to $100,000 in exchange for finding vulnerabilities and exploits in the upcoming Windows 8.1 Preview, which is expected to launch on June 26, the same time as the Microsoft Build Developer Conference.

Qualifying submissions with accompanying defensive ideas will also be eligible for a BlueHat Bonus worth up to $50,000. “These are super challenging to discover and they require a new technique,” says Mike Reavey, director of Microsoft’s Security Response Center.

Windows 8.1 is a major update to Microsoft's brand new operating system Windows 8, and given the serious bounty on offer, Microsoft clearly wants to leave nothing to chance as far as securing the operating system is concerned.

"Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would," he said.

Microsoft’s senior security strategist, Katie Moussouris, noted that the company is giving out rewards because Microsoft doesn’t want to wait for another competition to learn about exploitation techniques.

Microsoft is also offering up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview in Windows 8.1 Preview. "Most organizations don’t offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing."

Taking such steps is part of a smart strategy on Microsoft’s part to make sure users get the finest experience out of the yet-to-be-released update, with the best user security that can be ensured.

Microsoft is not the first company to start this kind of program. Many companies launched similar programs in order to find exploits and improve their products.

The bounty being offered by Microsoft will be the highest bug bounty reward offered by a tech company. The web giant Google reportedly pays between $500 and $1,333.70 for flaws in its web browser Google Chrome and up to $20,000 for dangerous vulnerabilities in its web services such as Google search, the video site YouTube and the web-based email service Gmail.
